CVE-2023-31235 – WordPress Participants Database Plugin <= 2.4.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-31235
03 May 2023 — The Participants Database plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.9. • https://patchstack.com/database/vulnerability/participants-database/wordpress-participants-database-plugin-2-4-9-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-2276 – WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
https://notcve.org/view.php?id=CVE-2023-2276
03 May 2023 — The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. • https://lana.codes/lanavdb/3a841453-d083-4f97-a7f1-b398c7304284 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-0766 – Newsletter Popup <= 1.2 - Record Deletion via CSRF
https://notcve.org/view.php?id=CVE-2023-0766
02 May 2023 — The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wp_newsletter_show_localrecord page is not protected with a nonce. The Newsletter Popup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. • https://wpscan.com/vulnerability/90a1976c-0348-41ea-90b4-f7a5d9306c88 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-30869 – WordPress Easy Digital Downloads Plugin 3.1-3.1.1.4.1 is vulnerable to Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-30869
02 May 2023 — The Easy Digital Downloads plugin for WordPress is vulnerable to Unauthenticated Arbitrary Password Resets to Privilege Escalation in versions 3.1 to 3.1.1.4.1. • https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability? • CWE-287: Improper Authentication • CWE-620: Unverified Password Change •
CVE-2023-1938 – WP Fastest Cache < 1.1.5 - Blind SSRF via CSRF
https://notcve.org/view.php?id=CVE-2023-1938
02 May 2023 — The WP Fastest Cache WordPress plugin before 1.1.5 does not have a CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue. The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.4 via the 'check_url' function. • https://wpscan.com/vulnerability/92b1c6d8-51db-46aa-bde6-abdfb091aab5 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-2032 – Custom 404 Pro < 3.8.1 - Multiple SQL Injection
https://notcve.org/view.php?id=CVE-2023-2032
25 Apr 2023 — The Custom 404 Pro WordPress plugin before 3.8.1 does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities. The Custom 404 Pro plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in versions up to, and including, 3.8.0 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. • https://wpscan.com/vulnerability/17acde5d-44ea-4e77-8670-260d22e28ffe • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-0600 – WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2023-0600
24 Apr 2023 — The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to time-based blind SQL Injection via an unknown parameter in versions up to, and including, 6.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing... • https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-31078 – WordPress WP BrowserUpdate Plugin <= 4.4.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-31078
24 Apr 2023 — The WP BrowserUpdate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.1. • https://patchstack.com/database/vulnerability/wp-browser-update/wordpress-wp-browserupdate-plugin-4-4-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-31086 – WordPress Simple Giveaways Plugin <= 2.46.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-31086
24 Apr 2023 — The Simple Giveaways plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.46. • https://patchstack.com/database/vulnerability/giveasap/wordpress-simple-giveaways-plugin-2-45-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-31089 – WordPress Video XML Sitemap Generator Plugin <= 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-31089
24 Apr 2023 — The Video XML Sitemap Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. • https://patchstack.com/database/vulnerability/video-xml-sitemap-generator/wordpress-video-xml-sitemap-generator-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •